
Is golang-protobuf affected by CVE-2021-22570 ?

Open cjcjameson opened this issue 3 years ago • 6 comments

Reading https://nvd.nist.gov/vuln/detail/CVE-2021-22570 , I don't know if it affects Golang usage of protobufs, and if so, what version of golang protobufs we should upgrade to, to make sure we bring in a version of the underlying protobufs that has the appropriate fix.

Glad to learn more about how to read the lock-files etc.; it's been hard for me to trace the dependencies!

cjcjameson, Mar 22 '22 18:03

This appears to be a bug in the C++ code. The Go protobuf implementation does not link in any of the C++ code. From the release notes, it's unclear to me whether this bug affects the protoc binary or the C++ runtime implementation of protobufs. If the former, then upgrading to a newer version of protoc should be sufficient. If the latter, then the Go protobuf ecosystem is entirely unaffected.

dsnet, Mar 22 '22 18:03

Poking around as well, the vulnerability description is indeed lacking in specificity, but it does appear to be an issue with the C++ code only, either protoc (as mentioned, just upgrade) or the C++ generated code (as mentioned, would not affect the Go code).

Edit: a little more poking around, and this definitely looks like something protoc specific, as it also affected mingw-protobuf

puellanivis, Mar 22 '22 18:03

I think this is https://github.com/anchore/grype/issues/558

znkr, Jun 02 '22 13:06

I couldn't find any definitive answer: does this vulnerability apply to the golang implementation of protobuf? The grype discussion is only about different versions of C++ and golang protobufs, but doesn't answer whether the vulnerability exists in the golang implementation, or which version fixes it.

MrGlobi, Mar 15 '23 11:03

Hi, is the CVE-2021-22570 confirmed as a false positive?
I found that the following analysis says it affects Go. But there is no valid information that it affects Go, so I think this looks like a false positive. https://github.com/advisories/GHSA-77rm-9x9h-xj3g

The CVE-2021-22570 has been added to the ignore list. https://github.com/anchore/grype/pull/1062/files

stillyger, Sep 11 '23 03:09

IIUC, the issue was in the protoc compiler: https://github.com/protocolbuffers/protobuf/issues/9483#issuecomment-1040393475. Since that compiler is not part of the Go module, the module itself is not affected. However, it's still possible to be affected by the CVE in a Go codebase if an older protoc is used.

znkr, Sep 11 '23 09:09
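The practical consequence of the thread's conclusion (the Go module is fine, but generated code produced by an old protoc is still exposure) is that a Go repository should be audited by the protoc version recorded in its generated files, not by the google.golang.org/protobuf version in go.mod. The example below is an added illustration, not code from this issue or from the protobuf project. It relies on the version header that protoc-gen-go writes at the top of every generated `.pb.go` file (`// 	protoc        vX.Y.Z`), parses that line, and flags files built by a compiler older than a given floor, as well as files with no recorded version, which cannot be cleared automatically. The sample file contents are constructed, and the threshold is a placeholder because this thread does not state which protoc release carries the fix.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// protoc-gen-go stamps each generated .pb.go file with a header such as:
//
//	// Code generated by protoc-gen-go. DO NOT EDIT.
//	// versions:
//	// 	protoc-gen-go v1.28.1
//	// 	protoc        v3.21.12
//
// The "protoc" line records the compiler that produced the file, which is the
// component the thread identifies as the one that matters for this CVE.
// The regex deliberately does not match the "protoc-gen-go" line.
var protocLine = regexp.MustCompile(`^//\s*protoc\s+v?(\d+)\.(\d+)\.(\d+)`)

// Version is a simple major.minor.patch triple.
type Version struct{ Major, Minor, Patch int }

func (v Version) String() string { return fmt.Sprintf("v%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Less reports whether v is older than o.
func (v Version) Less(o Version) bool {
	if v.Major != o.Major {
		return v.Major < o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor < o.Minor
	}
	return v.Patch < o.Patch
}

// ParseProtocVersion scans a generated file's text for the protoc version
// header line. ok is false when no such line exists (older generators wrote
// no header, and hand-written files have none).
func ParseProtocVersion(src string) (v Version, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		m := protocLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		maj, _ := strconv.Atoi(m[1])
		mnr, _ := strconv.Atoi(m[2])
		pat, _ := strconv.Atoi(m[3])
		return Version{maj, mnr, pat}, true
	}
	return Version{}, false
}

// FindOutdated returns the names of files whose recorded protoc version is
// older than floor, plus files with no recorded version at all (those need a
// manual look or a regeneration). The result is sorted for stable reporting.
func FindOutdated(files map[string]string, floor Version) []string {
	var out []string
	for name, src := range files {
		v, ok := ParseProtocVersion(src)
		if !ok || v.Less(floor) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample inputs. In a real audit you would walk the repository
// (e.g. filepath.WalkDir over *.pb.go) and pass each file's contents here.
var sampleFiles = map[string]string{
	"old/api.pb.go": `// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// 	protoc-gen-go v1.25.0
// 	protoc        v3.12.4
package old`,
	"new/api.pb.go": `// Code generated by protoc-gen-go. DO NOT EDIT.
// versions:
// 	protoc-gen-go v1.28.1
// 	protoc        v3.21.12
package new`,
	"legacy/api.pb.go": `// Code generated by protoc-gen-go. DO NOT EDIT.
package legacy`,
}

// PLACEHOLDER: the thread does not say which protoc release fixes the bug.
// Take the fixed version from the upstream advisory and set it here.
var minProtoc = Version{0, 0, 0}

func main() {
	for _, f := range FindOutdated(sampleFiles, minProtoc) {
		fmt.Printf("regenerate %s: protoc older than %s or no version header\n", f, minProtoc)
	}
}
```

Run it over a real checkout by replacing `sampleFiles` with the contents of every `*.pb.go` in the tree; regenerating the flagged files with a current protoc is the remediation the thread points to, and the go.mod version of google.golang.org/protobuf can stay as it is.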